[Snort-users] Snort 2.0.5 dropping packets

Fri Dec 19 09:05:02 EST 2003

Any tips / recommendations?

I have a RHLinux 7.0 with 100mb NIC running at 100mb/s and running Snort 1.9.0 running default ruleset plus one custom rule file. The custom rule file has lots of content based rules. Our traffic level is usually around 35mb/s. On this box Snort works flawlessly and does NOT drop any pakcets and never has for years.

Now I built a new Snort server on beefier hardware running RHLinux 8.0 and Snort 2.0.5 and a gig NIC. The network it is on is running at 1000mb/s (gig) though traffic levels are the same as the old network (35mb/s). Yet Snort drops .2% (point 2 percent) of traffic on the default ruleset and when I add my custom rule file (which has a lot of content based rules), Snort drops massive amounts of packets (like 30 to 40%!)

Any ideas why this would happen when it didn't happen on the lower end box running at 100mb/s? Any tips on how I can avoid this? I confirmed that the gig nic is running at 1000mb/s as it should be and the port on the switch it is plugged into is forced at 1000mb/s.


